

What are they?

Phishing is a type of attack where social engineering techniques are used to capture sensitive information from a victim via email. A threat actor using this type of attack seeks to trick email recipients into providing sensitive information by clicking on malicious attachments and/or URLs, or sharing data on fraudulent pages. To do so, the attacker simulates a credible brand or impersonates someone trustworthy. When this technique is used via SMS it is called smishing, and by phone (voice) it is called vishing. This technique can also be used through instant messaging on social networking applications.



What to do

  • Do not click on attachments or links in suspicious emails, instant messages, or SMS;
  • When contacted, confirm the veracity of the source email address, profile, or phone number;
  • Always assess the appropriateness of the content of emails, instant messages, SMS, or phone calls;
  • Do not share personal data or follow instructions without verifying the veracity of the request with other sources – for example, with the Bank's account manager or a hierarchical superior;
  • Be suspicious of messages with formal language errors, but also do not trust all messages just because they do not have formal language errors;
  • In organisations, carry out simulated phishing and smishing attacks, and possibly vishing, in order to raise awareness of and attention to these attack channels;
  • Do not share sensitive data on social networks as this may provide information to possible attackers who want to carry out spear phishing (phishing aimed at a specific person);
  • Report to those responsible for IT security in the organisation or to the authorities whenever you are the target or victim of an attack of this type;
  • Be vigilant and do not let yourself be persuaded without reflection by authoritative demands, promises, or urgent requests.



Data

  • Phishing and smishing have been the types of incidents most recorded by CERT.PT: in 2019 they corresponded to 31% of recorded incidents and in 2020 to 43%, having risen that year in absolute terms by 160% (CNCS, Risks and Conflicts 2021);
  • We can see that 2021 maintained an upward trajectory and that the periods with the highest volume of incidents, particularly phishing and smishing, were those of greater social confinement as a result of the Covid-19 pandemic (CNCS, Bulletin No. 4/2021);
  • According to a content analysis of phishing and smishing recorded by CERT.PT during the second quarter of 2020, the persuasion technique most used by attackers, in 90% of cases, is an appeal to the authority/credibility of the sender (a bank, for example); 79% of messages encourage logging into an account, 12% ask for data related to a product/service, 7% promise a financial gain and 3% ask the recipient to fill in a document (CNCS, Bulletin No. 3/2020).
Last updated on 08-09-2022